While managing records, manage risk

Enterprises are creating and collecting more data than ever, and government agencies are no exception. But when an organization is part of the intelligence community, each record is also a risk that needs to be managed and mitigated.

Training should be addressed as part of any records management strategy, said Jill Singer, chief information officer at the National Reconnaissance Office, but with sensitive data, that training is even more critical.  

"The insider threat is always there. I think previously, [that concern] has probably been reserved for classified information," said Singer while speaking at AIIM/info360.

"I would encourage every company to have a standard information security training program that they have to go through. Ours includes records management-specific issues," she added.

Security is typically addressed in records storage, and many ECM solutions have permission and authorization settings. But is that enough? The insider threat may not be addressed explicitly in many enterprise content management systems.

What's more, most records managers aren't also working with things like network defense perimeter technology and intrusion detection/prevention technology. Singer predicts that we may soon see more of that protection baked into content management products.

She suggests there is a need for audit and analysis tools, as well as those that look at exfiltration patterns outside of the enterprise.

"I think that you will see new tools emerge--perhaps even tools that were originally used only in a classified environment--and become more commonplace at all kinds of corporations [for] watching what the users are doing, developing patterns of what is appropriate usage of data by an individual and developing alarm systems and whistles for when that person is stepping outside of normal activity and normal usage," said Singer. "That doesn't mean you've got an insider that's gone bad. But it does mean you have an individual who is doing things as they would not normally do, and that's just a flag to check and see what they're up to," she said.

For NRO, that type of employee surveillance would be acceptable, but for other enterprises, she said, that could launch an entire conversation on privacy policies.

The elephant in the room, especially for government entities, is the recent information breaches released to Wikileaks. While Singer's heightened concern for secure data management may not translate to all organizations, it should make content managers stop and consider what would happen if trade secrets, intellectual property or end-users' personally identifiable information were to be deliberately accessed and leaked.

Is it necessary to have a single solution that handles records management and monitoring, though? Or will layering products satisfy this need for the few entities that desire it? How can a product do both security and records management well?
